pam_oar_adopt(8) | OAR commands | pam_oar_adopt(8) |
NAME
pam_oar_adopt - OAR's pam_exec script to manage ssh connections to OAR nodes
SYNOPSIS
pam_oar_adopt -a for PAM account
pam_oar_adopt -s for PAM session
DESCRIPTION
This script is part of the OAR resources and jobs manager software.
PAM can be configured to let users ssh (basic ssh, not via oarsh) to OAR nodes and place the created processes in the job's cgroup. It will also prevent any ssh connection to nodes that are not properly reserved.
This uses the pam_exec module with the pam_oar_adopt script and the pam_env module.
Once enabled, if a user has reserved a node and then connects to it using ssh, PAM will find out the job's cgroup and place the ssh remote process in it. It will also load the job's environment variables.
If a user tries to ssh to a node that is either not reserved, or not reserved in full (all compute resources of the node must be reserved) or reserved multiple times (e.g. 2 different jobs reserving each a subset of the node's compute resources, or using the timesharing job type), the connection will fail.
Please note that while using ssh is very convenient, oarsh provides extra features to connect to jobs.
CONFIGURATION
To enable this feature, one must configure pam_oar_adopt in PAM and activate it in its configuration file (/etc/oar/pam_oar_adopt.conf).
PAM CONFIGURATION
Make sure the ssh service (on port 22, not OAR's dedicated ssh service on port 6667) enables PAM. /etc/ssh/sshd_config must contain:
UsePAM yes
The following is an example PAM configuration with pam_oar_adopt on Debian-like systems:
- /etc/pam.d/common-account
  The following can be set as the first PAM directive in common-account:
    account required pam_exec.so quiet stdout /usr/sbin/pam_oar_adopt -a
- /etc/pam.d/common-session and /etc/pam.d/common-session-noninteractive
  The following can be set as the last PAM directives in common-session and common-session-noninteractive:
    session required pam_exec.so quiet stdout /usr/sbin/pam_oar_adopt -s
    session optional pam_env.so readenv=1 envfile=/var/lib/oar/pam.env
On Debian-like systems, one can also use the pam-auth-update command to configure PAM and, by default, this PAM profile is installed with the oar-node package.
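The script below is an added example, not part of OAR or of this manual page: it checks that a node is wired up as described above, that is, UsePAM enabled in sshd_config, the pam_oar_adopt -a line as the first directive of common-account, and the pam_oar_adopt -s line immediately followed by pam_env reading /var/lib/oar/pam.env as the last two directives of both common-session files. The function names and the constructed sample tree are assumptions of this example; on a real node the same function can be pointed at /etc/ssh/sshd_config and /etc/pam.d.

```shell
#!/bin/sh
# Added example, not part of OAR: check that sshd and PAM are wired up as
# described above. Paths are parameters so the check can run on a
# constructed copy; on a node pass /etc/ssh/sshd_config and /etc/pam.d.

# Directive lines of a PAM file, with comments and blank lines removed.
pam_directives() {
    grep -Ev '^[[:space:]]*(#|$)' "$1"
}

# Prints "ok", or the first problem found, and returns non-zero on a problem.
check_oar_pam() {
    sshd_cfg=$1
    pam_dir=$2
    grep -Eq '^[[:space:]]*UsePAM[[:space:]]+yes' "$sshd_cfg" \
        || { echo "UsePAM yes is missing from $sshd_cfg"; return 1; }
    # The account check must run before any other account module.
    case "$(pam_directives "$pam_dir/common-account" | head -n 1)" in
        account*pam_exec.so*"pam_oar_adopt -a"*) ;;
        *) echo "pam_oar_adopt -a is not the first directive of common-account"
           return 1 ;;
    esac
    for f in common-session common-session-noninteractive; do
        # The session hook and pam_env must be the last two directives, in that order.
        case "$(pam_directives "$pam_dir/$f" | tail -n 2 | head -n 1)" in
            session*pam_exec.so*"pam_oar_adopt -s"*) ;;
            *) echo "pam_oar_adopt -s is not the second-to-last directive of $f"
               return 1 ;;
        esac
        case "$(pam_directives "$pam_dir/$f" | tail -n 1)" in
            session*pam_env.so*"envfile=/var/lib/oar/pam.env"*) ;;
            *) echo "pam_env reading /var/lib/oar/pam.env is not the last directive of $f"
               return 1 ;;
        esac
    done
    echo ok
}

# Constructed sample tree mirroring the Debian-like example above; prints its path.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/pam.d"
    printf 'UsePAM yes\n' > "$d/sshd_config"
    printf '# pam_oar_adopt first\naccount required pam_exec.so quiet stdout /usr/sbin/pam_oar_adopt -a\naccount required pam_unix.so\n' \
        > "$d/pam.d/common-account"
    for f in common-session common-session-noninteractive; do
        printf 'session required pam_unix.so\nsession required pam_exec.so quiet stdout /usr/sbin/pam_oar_adopt -s\nsession optional pam_env.so readenv=1 envfile=/var/lib/oar/pam.env\n' \
            > "$d/pam.d/$f"
    done
    echo "$d"
}

D=$(demo_tree)
check_oar_pam "$D/sshd_config" "$D/pam.d"
rm -rf "$D"
```

The ordering checks matter: an account module placed before pam_oar_adopt -a could accept the login before the job check runs, and pam_env must come after the pam_oar_adopt -s hook that writes the job's environment file.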
PAM_OAR_ADOPT CONFIGURATION
The /etc/oar/pam_oar_adopt.conf file contains the following configuration options:
By default, pam_oar_adopt is disabled and must be enabled in this file.
[DEPRECATED] For compatibility reasons, if the /etc/oar/pam_oar_adopt_enabled file exists, pam_oar_adopt is enabled regardless of /etc/oar/pam_oar_adopt.conf.
- WARN
  In disabled mode, pam_oar_adopt will warn users about what would have been done if it were enabled. Possible values are:
- USER_UID_MIN
  In enforced mode, pam_oar_adopt ignores (does not prevent) ssh connections from users with a UID lower than USER_UID_MIN. This is useful to let system users connect to nodes without being part of a job. The default value is 1000.
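To make the admission rules of the DESCRIPTION section and the options above concrete, the following shell function is an added example (not the pam_oar_adopt script itself) modelling the decision for one ssh login: UIDs below USER_UID_MIN are ignored, the node must be held in full by exactly one job that is not a timesharing job, and in disabled mode the outcome is only reported as a warning. The job list format "jobid:owner:cores:type", the requirement that the job belong to the connecting user, and the verdict strings are constructed for this example.

```shell
#!/bin/sh
# Added example modelling pam_oar_adopt's decision; not OAR's own code.
# Arguments:
#   $1 enabled flag (yes/no)            $2 login user name
#   $3 numeric uid                      $4 USER_UID_MIN
#   $5 number of compute cores on node  $6 jobs holding cores on this node,
#      space separated "jobid:owner:cores:type" entries (constructed format)
# Prints one of: ignore, adopt:<jobid>, deny:<reason>, or warn:<verdict>
# when pam_oar_adopt is disabled.
oar_adopt_decision() {
    enabled=$1 user=$2 uid=$3 uid_min=$4 node_cores=$5 jobs=$6
    # System users (uid < USER_UID_MIN) are neither adopted nor blocked.
    if [ "$uid" -lt "$uid_min" ]; then
        echo ignore
        return 0
    fi
    verdict=$(echo "$jobs" | awk -v total="$node_cores" -v user="$user" '
        {
            for (i = 1; i <= NF; i++) {
                split($i, f, ":")
                n++; id = f[1]; owner = f[2]; cores += f[3]
                if (f[4] == "timesharing") ts = 1
            }
        }
        END {
            # Every rule from the description must hold for the process to be adopted.
            if (n == 0)             print "deny:node not reserved"
            else if (n > 1)         print "deny:node shared by " n " jobs"
            else if (ts)            print "deny:timesharing job"
            else if (owner != user) print "deny:job " id " belongs to " owner
            else if (cores < total) print "deny:node only partially reserved"
            else                    print "adopt:" id
        }')
    # In disabled mode the script only reports what it would have done.
    if [ "$enabled" = yes ]; then
        echo "$verdict"
    else
        echo "warn:$verdict"
    fi
}

# Constructed demonstration: an 8-core node reserved in full by job 42.
oar_adopt_decision yes alice 1000 1000 8 "42:alice:8:default"
```

Running the function with a partial reservation, two jobs sharing the node, or an empty job list shows the three denial cases, and setting the first argument to "no" turns any verdict into a warning, which is the behaviour of the disabled mode described by the WARN option.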
NOTES
It is good practice to prevent users from connecting to OAR nodes outside of jobs (except system users: at least root and the oar user).
Configuring pam_oar_adopt achieves this, but it can also be enforced using pam_access or the AllowUsers directive in /etc/ssh/sshd_config.
Conversely, in an installation where OAR's deploy or cosystem job types are used, which requires the oar-node package to also be installed on the deploy or cosystem frontend, it is usually normal to let any user ssh to that frontend regardless of jobs. As a result, pam_oar_adopt should not be installed on such a frontend (on Debian-like systems, one may use pam-auth-update to deactivate the oar-node PAM profile).
SEE ALSO
pam(7), pam.conf(5), pam.d(5), pam_exec(8), pam_env(7), pam_access(8), pam-auth-update(8), ssh(1), sshd_config(5), oarsh(1)
COPYRIGHTS
Copyright 2003-2025 Laboratoire d'Informatique de Grenoble (http://www.liglab.fr). This software is licensed under the GNU General Public License Version 2 or above. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
2025-03-24 | pam_oar_adopt |